Thanks for taking a look Eleanor, it helps knowing that I should just use MESSAGE to verify. But yes you're right, the MESSAGE data I gave you in the testcase turned out to be wrong.
I did figure out how to verify the sig, but not using ICSF. I suspect I'm creating the Public key token incorrectly ... which is strange because it seems pretty straightforward, and I've been able to sign/verify properly before using a private/public key pair I generated from a PKB call.
So the way I did verify successfully was with openSSL.
The message data is in test.hex, and I then use certreq to convert into ASCII: certutil -decodehex "test.hex" "test.txt"
For convenience I also attached test.txt.
signature.sha256 is a binary transfer from zOS, same data as the sig field in my REXX.
rsapub.pem is the pub key I extracted from pub.der, which is what I grabbed the modulus from for my REXX.
So if you run "openssl dsgt -sha256 -verify rsapub.pem -signature sig.sha256 test.txt"
it should verify OK.
My problem now is that I'm trying to verify using ICSF with what should be the correct data, but it's not working. Like I said above I suspect it might be the public key token, so once I get the appropriate access (ugh) ... I'm going to add the cert into the PKDS and try again.
If you have the time please help me take a look again, thanks!
hermanpun